ENISA report on smartphone security

On December 10, 2010, the ENISA (European Network and Information Security Agency) released a report regarding security risks and opportunities of using smartphones. This is a high level study that applies to any smartphone, and does not go into the details of the technical features for any particular smartphone (iPhone, Blackberry, Android and Symbian are however mentioned in the examples).

One interesting aspect is that the study is not focused only on business usages but also covers consumer usages. This is particularly relevant because, as mentioned in the study, even in a business context, the user will combine the personal and professional usages of his/her smartphone. In fact, the study identifies three standard profiles:

• Customer
• Employee
• High official

The risk analysis was constructed by asking an expert committee to identify the 10 most significant risks associated with smartphones. In addition to this risk analysis, the report also identifies 20 recommendations to address these risks and lists 7 opportunities (i.e. benefits) that are specific assets available on smartphones to provide a better security.

We give below the list of the 10 top risks identified by ENISA and a summary of the recommendations. More details can be obtained by reading the 3 pages "Executive Summary" of the study or, of course, in the study itself

The risks

The ten most significant risks identified by ENISA are listed below (in descending order).

• R1: Data leakage if the smartphone is lost or stolen.
• R2: Improper decommissioning (without removing sensitive data).
• R3: Unintentional data disclosure because installed apps send data on Internet.

Note: As an example for this risk, ZDnet.fr published in December 2010 an article entitled "The mobile apps are becoming more intrusive" which indicates that 47% of smartphone applications are sending personal data without users' knowledge. This French article refers to this article published by The Washington Post: Your Apps Are Watching You.

• R4: Phishing via SMS or emails sent to the smartphone.
• R5: Spyware (malicious apps which steal data on the smartphone)

Note: The "Geinimi" Trojan which was discovered late 2010 and aimed at Android phones is a recent example of a malware targeting smartphones. It is considered as the most sophisticated malware currently seen on smartphone.

• R6: Network traffic interception (via a rogue WiFi access point).
• R7: Surveillance: spying on an individual (via a specific apps installed on the smartphone).
• R8: Diallerware that causes calls to premium SMS services or numbers.
• R9: Financial malware targeting banking apps.
• R10: Network congestion caused by legitimate apps.

The recommendations

The report provides a set of measures to apply to counter each identified risks. These recommendations are gathered depending on the type of usage (consumers, employees, high officials). Generally, recommendations for simple consumers must be applied to employees, and those for employees to high officials.

Consumers

• Configure the smartphone so that it locks automatically after some minutes of inactivity.
• Check reputation before installing a new service or application (insure it is trustworthy).
• Scrutinize the permission requests (to access to personal data) of the installed apps.
• Reset and wipe before disposing or recycling a smartphone.

Employees

• Apply a thorough decommissioning procedure (including memory wipe processes) before decommissioning or recycling a smartphone.
• Application installation: define and apply an application white list approach where only approved apps may be installed.
• For confidentiality: use a memory encryption tool for the smartphone memory and removable media.

High officials

• Do not store confidential data on the smartphone.
• Use an additional call and SMS encryption software to guarantee an end-to-end confidentiality.
• Periodically wipe and reload smartphones with a specially prepared disk image.

Conclusion

Including smartphone usage in the organisation security policy is a growing concern for most of the CSO, and the release of this ENISA study is therefore just in time to cover that need. It is a must-have-read resource. It does not provide an answer or a guideline to select a technical solution for managing a fleet of smartphones, but it provides an accurate panel of the top risks induced by smartphone usage.

The identified risks are sometime straightforward, and focus first on inadvertent data leakage (device loss, bad decommissioning procedure, installed apps sending away too much data). But this is exactly the kind of risks that are easy to counter once they have been identified. These inherent weaknesses actually create a fertile ground for attackers and malware. And this is probably why, for example, McAfee identifies smartphones as one of the 9 top risks in its 2011 security threats report published on December 28, 2010.

For more information:

• ENISA report:
  http://www.enisa.europa.eu/act/it/oar/smartphones-information-security-risks-opportunities-and-recommendations-for-users/at_download/fullReport